Computers have evolved to tools for many applications and service. In today's world a trustworthy computing environment becomes more and more a desire. Comprehensive trust, security, and privacy functions are required to establish multi-party trust between devices, upon which content providers, application and service providers, consumers, enterprises and financial institutions, and particularly users can rely.
For that, a trusted platform module (TPM) has been established. The role of the module is to offer protected storage, platform authentication, protected cryptographic processes and attestable state capabilities to provide a level of trust for the computing platform. The foundation of this trust is the certification by a recognized authority that the platform can be trusted for an intended purpose. A so-called trusted computing group (TCG) will further develop and promote open industry standard specifications for trusted computing hardware building blocks and software interfaces across multiple platforms, including PC's, servers, PDA's, and digital phones. This will enable more secure data storage, online business practices, and online commerce transactions while protecting privacy and individual rights. Users will have more secure local data storage and a lower risk of identity theft from both external software attack and physical theft.
To realized the functionality of attestable states, an issuer issues a certificate to the trusted platform module, hereafter also abbreviated as TPM, as to allow the TPM to later prove that it is a genuine TPM and therefore a verifying party can have confidence stated attested by the TPM. To allow the TPM to prove it is genuine without that the verifying party can identify the TPM, a so-called direct anonymous attestation (DAA) protocol has been specified by the trusted computing group. The protocol allows the TPM to convince a verifying party that it obtained attestation by an issuer without revealing its identity. The protocol takes place in the following setting. The issuer has made available a public key (n, R.sub.0, R.sub.1, S, Z). With each TPM a so-called endorsement key is associated. This key is an RSA encryption key pair, the secret key of which is available to the TPM. In order to get attestation, the TPM and the issuer run a first protocol. During the protocol, the TPM sends the issuer values U=R.sub.0.sup.f0R.sub.1.sup.f1S.sup.v′ mod n and N.sub.I=.zeta..sub.I.sup.f0+kf1, where k is a system parameter and .zeta..sub.I is a so-called named base value determined by the issuer. The value U is authenticated using the TPM's endorsement key. The TPM also proves to the issuer that N.sub.I is correctly computed w.r.t. U, i.e., that they contain the same values of f0 and f1. Having received U and N.sub.I, the issuer chooses an appropriate prime e and a value v″, computes the valueA=(Z/US.sup.v″).sup.(1/e)mod n and sends the TPM A, e, and v″. The TPM sets v=v′+v″. Thus it turns out thatA.sup.eR.sub.0.sup.f0R.sub.1.sup.f1 S.sup.v=Z (mod n), i.e., the TPM has obtained attestation from the issuer.
Now, the TPM can convince the verifying party with a second protocol, herein also referred to DAA-sign operation, that it has obtained attestation without identifying itself. That is, the verifying party only receives a value N.sub.v that the TPM computed as .zeta..sup.v.sub.f0+kf1, where k is the same system parameter and .zeta..sub.v is a base or named base value determined by the verifier, and a proof that the TPM possesses values A, e, v, f0, and f1 such thatA.sup.eR.sub.0.sup.f0R.sub.1.sup.f1S.sup.V′=Z (mod n) and N.sub.v=.zeta..sub.v.sup.f0+kf1 holds. It is noticed that the verifying party does not learn any of the values A, e, v, f0, and f1. The verifying party can either allow the TPM or the user's computer to choose the value .zeta..sub.v randomly, in which case the verifying party does not receive any information at all; or the verifying party can request that the value .zeta..sub.v be computed otherwise and fixed for a certain time period, in which case the verifying party is able to note whether the same TPM has contacted it before by checking whether it has seen a given N.sub.v before.
In the execution of these two protocols, also a platform that uses the TPM takes part. This platform receives values from the TPM, possibly modifies them, and forwards them to the issuer or the verifying party. The platform then receives (reply) messages from the issuer or the verifying party, possibly modifies them, and feeds them to the TPM.
Using the same .zeta..sub.v with all TMP's and for a certain time period allows the verifying party to monitor whether some TPM overuses the service provided by the verifying party through monitoring how often a given value N.sub.v is used and thus to identify TMP's that are no longer genuine. However, it also allows the verifying party to do profiling and thus to invade into the privacy of a TMP's user, which is not desirable.
From the above it follows that there is still a need in the art for an improved protocol that prevents profiling and maintains privacy for transactions performable by the user device with parties while still allowing the verifying party to monitor overuse and identify rogue TMP's.